OS Command Injection Vulnerability in Zyxel GS1900 and XGS Series
CVE-2021-35031

6.8MEDIUM

Key Information:

Vendor: Zyxel
Status: Gs1900 Series Firmware; Xgs1210 Series Firmware; Xgs1250 Series Firmware
Vendor: CVE Published:; 28 December 2021

Summary

A vulnerability has been identified in the TFTP client of Zyxel GS1900 series, XGS1210 series, and XGS1250 series firmware that allows an authenticated LAN user to execute arbitrary operating system commands through the device's graphical user interface. This flaw could potentially lead to unauthorized access and manipulation of system-level functions, posing significant security risks to the affected network devices.

Affected Version(s)

GS1900 series firmware 2.60

XGS1210 series firmware 1.00(ABTY.4)C0

XGS1250 series firmware 1.00(ABWE.0)C0

References

https://www.zyxel.com/support/Zyxel_security_advisory_for...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 28, 2021
Vulnerability Reserved
Jun 17, 2021